Active Directory Defaults Subject to Relay Attacks, Microsoft Warns
Microsoft on Wednesday advised organizations using Active Directory to take a couple of steps to protect against Kerberos resource-based constrained delegation relay attacks.
The steps and the advice aren't exactly new, as Microsoft had offered similar guidance in 2019 with Security Advisory ADV190023. Microsoft also hardened Lightweight Directory Access Protocol (LDAP) channel binding on Active Directory domain controllers via Windows updates in 2020. However, that hardening stopped short of actually making the LDAP signing or channel binding policy changes that are needed.
Microsoft's warnings are resurfacing again because of a GitHub-published hacking tool, called "KrbRelayUp," created by security researcher Mor Davidovich. It combines various attack tools to abuse Kerberos constrained delegation, which was originally designed to restrict what a server could do in response to a user.
The KrbRelayUp tool, which was published on April 24, 2022, can give attackers system privileges through its Kerberos resource-based constrained delegation exploit capabilities.
"Resource-based constrained delegation (RBCD) represents the key to this attack method, enabling the tool to impersonate an administrator and eventually run code as the SYSTEM account of a compromised device," the announcement explained.
Vulnerability Exists for 'Hybrid' Azure AD Users
Organizations that use Azure AD purely, without synchronizing it with local Active Directory, aren't subject to these Kerberos resource-based constrained delegation attacks, the announcement noted.
However, if an organization uses Active Directory, including in a "hybrid" state synced with Azure AD, then it is subject to the attacks.
Here's Microsoft's explanation to that effect:
It's important to note that KrbRelayUp cannot be used in attacks against organizations that are only using Azure AD. However, in hybrid identity environments where organizations synchronize their domain controllers with Azure AD, if an attacker compromises an Azure virtual machine using a synchronized account, they'll receive SYSTEM privileges on the virtual machine.
Steps To Take
Microsoft advised organizations using Active Directory to take a couple of steps to protect against possible Kerberos resource-based constrained delegation types of attacks.
Organizations should turn on channel binding and signing for LDAP as one measure of protection.
Next, organizations also should address an attack approach that lets attackers create accounts on networks. At present, a default setting in Active Directory lets any user "create up to 10 computer accounts associated with them." This default setting can be exploited by attackers, who use it to set up fake computer accounts.
A key measure to take is to set the Active Directory ms-DS-MachineAccountQuota attribute to "0" to prevent attackers from setting up such accounts.
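The two measures above, audited and applied from an administrator's PowerShell session, as an added example that is not part of the article or of any Microsoft tooling. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and PowerShell remoting to each domain controller; the NTDS registry value names, the diagnostics key and the 2889/3039 event IDs are taken from Microsoft's ADV190023 guidance rather than from this article.

```powershell
# Added example (not the article's code): check and fix the ms-DS-MachineAccountQuota
# default, and check whether domain controllers already require LDAP signing and
# channel binding. Assumes RSAT ActiveDirectory, Domain Admin rights and WinRM to each DC.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The attribute lives on the domain naming context object; the default value is 10.
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    # 0 stops ordinary domain users from creating the computer accounts the attack relies on;
    # legitimate domain joins then need a delegated account or pre-created computer objects.
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function Get-LdapHardeningState {
    # Reads the enforcement values behind the two GPO settings
    # "Domain controller: LDAP server signing requirements" (LDAPServerIntegrity, 2 = require)
    # and "Domain controller: LDAP server channel binding token requirements"
    # (LdapEnforceChannelBinding, 2 = always) from every DC. Values documented in ADV190023.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Get-ADDomainController -Filter * | ForEach-Object {
        Invoke-Command -ComputerName $_.HostName -ArgumentList $params -ScriptBlock {
            param($p)
            $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DC                        = $env:COMPUTERNAME
                LDAPServerIntegrity       = $v.LDAPServerIntegrity
                LdapEnforceChannelBinding = $v.LdapEnforceChannelBinding
            }
        }
    }
}

function Enable-LdapInterfaceAuditing {
    param([string]$DomainController)
    # Diagnostics level 2 for "16 LDAP Interface Events" makes the DC log 2889 (unsigned
    # simple/SASL binds) and 3039 (channel binding token failures) per client.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

function Find-UnsignedLdapClients {
    param([string]$DomainController, [int]$Hours = 24)
    # Lists the clients that would break once signing / channel binding are required.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889, 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage: audit first, then remediate.
Write-Host "ms-DS-MachineAccountQuota is currently: $(Get-MachineAccountQuota)"
Get-LdapHardeningState | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 0
# Enable-LdapInterfaceAuditing -DomainController (Get-ADDomainController).HostName
# Find-UnsignedLdapClients -DomainController (Get-ADDomainController).HostName -Hours 168
```

The order matters: enable the LDAP interface auditing and review the 2889/3039 events for a week or so before switching the signing and channel binding policies to "require"/"always", because any client that still binds unsigned will stop authenticating the moment enforcement is turned on. The quota change is safe to apply immediately as long as domain joins are done with an account that has explicit create-computer-object rights.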
Microsoft touted its security tools for detecting and blocking these Kerberos resource-based constrained delegation types of attacks.
Microsoft Defender Antivirus can detect the use of the KrbRelayUp tool, labeling it as malware.
The Microsoft 365 Defender service can "detect and block this threat across the stages of the attack chain," the announcement indicated.
Microsoft Defender for Identity (from version 2.180) detects the first three stages of such attacks "by monitoring anomalous behavior as seen by the domain controller."
Lastly, Microsoft Defender for Endpoint checks for "suspicious LDAP and Kerberos requests to Active Directory domain controllers," which will detect "attacks using KrbRelayUp."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.